IRS needs to tighten security settings: TIGTA
Connecting state and local government leaders
The IRS has not consistently maintained the security settings it established and deployed under a common operating environment, resulting in a high risk of exploitation for some of its computers, according to the Treasury Department's inspector general for tax administration.
The IRS has not consistently maintained the security settings it established and deployed under a common operating environment (COE), resulting in a high risk of exploitation for some of its computers, according to the Treasury Department's inspector general for tax administration.
The IRS has adopted a common operating environment for security configurations on all of its workstations. The common environment lets IRS control security configuration settings and software on workstations by using one master COE template, which the IRS installs on its computers. The IRS has installed the master COE image on 95 percent of its computers, TIGTA said in its report released today.
Agencies must be able to control security settings under the Federal Information Security Management Act to strengthen the security of federal systems.
'The COE essentially minimizes the risk of someone compromising computers on the IRS network,' said Michael Phillips, TIGTA's deputy inspector general for audit, in the report.
Of 102 computers tested, only 41 percent continued to be in compliance; 59 percent were not or contained at least one high-risk vulnerability that would allow the computer to be exploited or rendered unusable. Almost one-half of the compliant computers contained at least one incorrect setting that could allow employees to circumvent security controls established by the common operating environment.
Also, at the time of the audit, the COE security settings had not been installed on more than 4,700 computers. Without them, computers were missing security patches and at high risk for viruses.
TIGTA recommended that the IRS hold system administrators accountable for maintaining adequate security settings and periodically check configurations on a sample of computers to assure that they continue to comply with the COE. Computers that do not have the common environment should have it installed, or the computers replaced or brought manually into compliance with the prescribed security configurations, TIGTA said in its report.
In addition, the IRS at the time did not own a software license tracking or metering tool that could identify software use for a baseline inventory. For example, the IRS spends up to $32 million annually for Microsoft Office suite products. But the IRS could not explain how it arrived at the number of licenses needed.
'Without the ability to track software usage and licenses, the IRS may have unused licenses available that could be redistributed or have licenses that are not needed,' Phillips said.
The IRS has established a combined Modernization and Information Technology Services organization to prioritize corrective actions that were recommended, which reduces the security risk, said IRS CIO Todd Grams said in a response last month.
'We believe the recommendations in this audit are low-risk control deficiencies,' he said.
Also, as the tax agency has replaced computers and moved from the Windows NT environment, more computers are running the common operating environment security control settings.
The IRS will direct system administrators this week to ensure that the password-protected start-up process is enabled and that the system administrator accounts are limited to those who need them to carry out their responsibilities.
The IRS has already targeted noncompliant workstations with distribution of baseline COE patches and security settings. By June, IRS will develop a recurring report to identify those computers that do not meet the current version.
By August, the IRS will deploy a software metering tool to gather data about software usage and related costs. And to improve oversight of its software licensing, the IRS will implement a software inventory application by October.